
Vulnerability Disclosure Policy

ClassroomPulse takes security seriously. We appreciate the security research community's efforts in helping keep our users safe. This policy outlines how to report vulnerabilities and what you can expect from us.

Responsible Disclosure Guidelines

We encourage responsible disclosure of security vulnerabilities. To be eligible for recognition and potential rewards, please follow these guidelines:

  • Report vulnerabilities privately to our security team
  • Provide sufficient detail to reproduce the issue
  • Allow reasonable time for us to address the vulnerability before public disclosure
  • Do not access, modify, or delete user data
  • Do not perform actions that could harm our services or users
  • Do not conduct physical security attacks or social engineering

How to Report

Primary Contact

Email: security@classroompulse.io

PGP Key: Available upon request

Response Time: Within 24 hours for critical issues

What to Include

  1. Type of vulnerability (e.g., XSS, SQL injection, authentication bypass)
  2. Affected components (URLs, endpoints, or features)
  3. Step-by-step reproduction instructions
  4. Proof of concept (screenshots, videos, or code)
  5. Impact assessment (what data or functionality is at risk)
  6. Your contact information (for follow-up questions)

In Scope

The following are within scope for vulnerability reports:

  • ClassroomPulse web application (*.classroompulse.io)
  • API endpoints (/api/*)
  • Authentication and authorization mechanisms
  • Data validation and sanitization
  • Session management
  • Cryptographic implementations
  • Third-party integrations affecting security

Out of Scope

The following are outside the scope and should not be tested:

  • Denial of Service (DoS) attacks
  • Physical security attacks
  • Social engineering or phishing
  • Attacks on our employees or users
  • Third-party services not under our control
  • Issues already known or previously reported
  • Theoretical vulnerabilities without proof of concept
  • Automated scanning without manual verification

Severity Classification

Severity | Description | Response Time
Critical | Remote code execution, data breach, authentication bypass | 24 hours
High | Privilege escalation, sensitive data exposure | 48 hours
Medium | Cross-site scripting, CSRF, limited data access | 7 days
Low | Information disclosure, minor security misconfigurations | 30 days

Our Commitment

When you report a vulnerability to us, we commit to:

  • Acknowledge receipt within 24-48 hours
  • Provide regular updates on our progress
  • Work with you to understand and validate the issue
  • Address the vulnerability as quickly as possible
  • Notify you when the issue is resolved
  • Recognize your contribution (with your permission)

Recognition

We appreciate the efforts of security researchers. With your permission, we will:

  • Add your name to our Security Hall of Fame
  • Provide a letter of appreciation
  • Consider monetary rewards for critical vulnerabilities (case-by-case basis)
  • Provide references for your security research work

Legal Safe Harbor

We consider vulnerability research conducted according to this policy to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA)
  • Exempt from the Digital Millennium Copyright Act (DMCA)
  • Lawful and helpful to the overall security of the Internet

We will not pursue legal action against researchers who:

  • Follow this vulnerability disclosure policy
  • Report vulnerabilities in good faith
  • Avoid privacy violations or harm to users
  • Do not exploit vulnerabilities beyond validation

Previous Security Fixes

We maintain transparency about resolved security issues:

2025-01: Fixed XSS vulnerability in report generation (reported by: Anonymous)
2024-12: Resolved authentication bypass in API endpoint (reported by: Security Researcher)
2024-11: Patched SQL injection in search functionality (reported by: Bug Bounty Hunter)

Contact Information

Security Team Email: security@classroompulse.io

Urgent Security Line: (972) 439-5845

Bug Bounty Platform: Coming Soon

PGP Fingerprint: Available upon request

Note: For general support issues not related to security vulnerabilities, please contact support@classroompulse.io

This vulnerability disclosure policy is subject to change. Last updated: January 2025. Thank you for helping us keep ClassroomPulse secure for all users.
